feat: validate combination of object type and privilege in PrivilegeDef
At a later stage I discovered that sbroad applies the same validation rules during parsing of grant/revoke statements and even has its own Privilege enum that is a ~copy of our PrivilegeType. Unfortunately, at the moment there is no way to share code between picodata and sbroad efficiently (now only tarantool-module is shared and it is not suitable for this kind of thing), so it still makes sense to have this in picodata because this is the point where all APIs converge to a single point (CaS). In the future all other ways of validation should be removed. Aside from sbroad, a similar kind of validation is performed independently on the Lua API side.

Note that in the prior commit 45ba7392 we've removed all privileges from role super. This patch removes privileges from admin that do not match the model: namely all privileges on universe except session and usage. With this patch it is no longer possible to grant or revoke such privileges.
- src/access_control.rs: 4 additions, 2 deletions
- src/schema.rs: 127 additions, 28 deletions
- src/sql.rs: 6 additions, 3 deletions
- src/storage.rs: 2 additions, 3 deletions
- test/conftest.py: 26 additions, 0 deletions
- test/int/test_acl.py: 19 additions, 20 deletions
- test/int/test_basics.py: 14 additions, 22 deletions
- test/int/test_sql.py: 0 additions, 5 deletions